Iran-linked spy APT MuddyWater ratchets up anti-Israel attacks: Report

The advanced persistent threat (APT) espionage group known as MuddyWater, which is widely thought to be operated by the Iranian Ministry of Intelligence and Security, has launched a new campaign against Israeli government targets, according to a report from cybersecurity firm Deep Instinct.

That campaign uses a file-sharing service called Storyblok to host a multistage infection package, according to the report from the Deep Instinct Threat Lab. The package is an archive containing a chain of nested folders with a LNK shortcut at the bottom. When the shortcut is opened, it launches an executable from a hidden folder inside the archive, which installs a legitimate remote administration tool on the target system and lets MuddyWater operators control and spy on the machine.

The new attack is particularly clever, according to Deep Instinct, because of an extra layer of deception: the malicious executable is built to look like a file folder rather than a program, and when run it opens a real Windows Explorer window showing a copy of a genuine Israeli government memo about social media information control, while at the same time installing the remote administration software.
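As an added example (not Deep Instinct's code and not the real sample), the following Python script triages a ZIP archive for the traits described above: a LNK shortcut buried under a chain of folders, an executable stored in a folder carrying the Windows hidden attribute, and a shortcut whose relative target path resolves into that hidden folder. It includes a minimal parser for the shortcut's RELATIVE_PATH and ARGUMENTS strings (MS-SHLLINK format) so the launch target can be read without opening the file on Windows. The archive it inspects is constructed inline and every file name in it is invented; the page does not give the real lure's names.

```python
"""Archive triage for the lure layout described above: nested folders, a
.lnk at the bottom, an executable in a hidden folder.  Added example, not
Deep Instinct's tooling; the sample archive and its names are constructed."""
import io
import posixpath
import struct
import zipfile

HIDDEN = 0x02           # FILE_ATTRIBUTE_HIDDEN, low byte of a Windows-made ZIP's external_attr
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta", ".dll", ".ps1"}
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-..-46}, little-endian


def parse_lnk(blob):
    """Return (relative_path, arguments) from an MS-SHLLINK blob, or None if it is not one."""
    if len(blob) < 0x4C or struct.unpack_from("<I", blob)[0] != 0x4C or blob[4:20] != LNK_CLSID:
        return None
    flags = struct.unpack_from("<I", blob, 0x14)[0]
    pos = 0x4C
    if flags & 0x01:                                  # HasLinkTargetIDList: u16 size + IDList
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if flags & 0x02:                                  # HasLinkInfo: u32 size that includes itself
        pos += struct.unpack_from("<I", blob, pos)[0]
    width, enc = (2, "utf-16-le") if flags & 0x80 else (1, "cp1252")   # IsUnicode
    fields = {}
    for bit, key in ((0x04, "name"), (0x08, "relpath"), (0x10, "workdir"),
                     (0x20, "args"), (0x40, "icon")):      # StringData blocks, fixed order
        if flags & bit:
            n = struct.unpack_from("<H", blob, pos)[0]
            pos += 2
            fields[key] = blob[pos:pos + n * width].decode(enc, "replace")
            pos += n * width
    return fields.get("relpath", ""), fields.get("args", "")


def triage(zip_bytes):
    """Flag the traits of the reported lure; returns a list of (rule, detail) tuples."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        hidden_dirs = {i.filename for i in infos if i.is_dir() and i.external_attr & HIDDEN}

        def in_hidden(path):
            return any(path.startswith(d) for d in hidden_dirs)

        for i in infos:
            if i.is_dir():
                continue
            ext = posixpath.splitext(i.filename)[1].lower()
            if ext in EXEC_EXTS and (in_hidden(i.filename) or i.external_attr & HIDDEN):
                findings.append(("hidden_executable", i.filename))
            if ext == ".lnk":
                if i.filename.count("/") >= 2:           # buried under a chain of folders
                    findings.append(("deeply_nested_lnk", i.filename))
                parsed = parse_lnk(zf.read(i))
                if parsed:
                    relpath, args = parsed
                    target = posixpath.normpath(posixpath.join(
                        posixpath.dirname(i.filename), relpath.replace("\\", "/")))
                    if in_hidden(target) or posixpath.splitext(target)[1].lower() in EXEC_EXTS:
                        findings.append(("lnk_launches_executable",
                                         f"{i.filename} -> {target} {args}".strip()))
    return findings


def build_lnk(relpath, args=""):
    """Minimal shortcut: no IDList/LinkInfo, Unicode RELATIVE_PATH (+ ARGUMENTS). Test fixture."""
    flags = 0x08 | 0x80 | (0x20 if args else 0)
    hdr = struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0) + b"\0" * 24   # + three FILETIMEs
    hdr += struct.pack("<IiIHHII", 0, 0, 1, 0, 0, 0, 0)  # FileSize, IconIndex, SW_SHOWNORMAL, reserved

    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return hdr + s(relpath) + (s(args) if args else b"")


def build_sample_archive():
    """Constructed archive in the reported shape; every name here is invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        def add(name, data=b"", attrs=0):
            zi = zipfile.ZipInfo(name)
            zi.external_attr = attrs | (0x10 if name.endswith("/") else 0)  # 0x10 = MS-DOS dir
            zf.writestr(zi, data)

        for d in ("Documents/", "Documents/2023/", "Documents/2023/Policy/"):
            add(d)
        add("Documents/2023/Policy/.data/", attrs=HIDDEN)
        add("Documents/2023/Policy/.data/Memo.exe", b"MZ" + b"\0" * 62, attrs=HIDDEN)
        add("Documents/2023/Policy/.data/memo.pdf", b"%PDF-1.4 decoy document")
        add("Documents/2023/Policy/Memo.lnk", build_lnk(".\\.data\\Memo.exe"))
        add("Documents/README.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for rule, detail in triage(build_sample_archive()):
        print(f"{rule:24} {detail}")
```

The hidden-attribute check only works when the archive was produced on Windows, where the DOS attribute byte is stored in the ZIP central directory; archives built on other systems carry Unix mode bits instead, so the shortcut's resolved target path is the more portable signal. Shortcuts that carry only a LinkTargetIDList and no RELATIVE_PATH would need an IDList walker, which this parser deliberately skips.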

Deep Instinct’s blog post on the attacks noted that the Storyblok attack may have a secondary phase after infection.

“After the victim has been infected, the MuddyWater operator will connect to the infected host using the legitimate remote administration tool and will start doing reconnaissance on the target,” the company said. “After the reconnaissance phase, the operator will likely execute PowerShell code which will cause the infected host to beacon to a custom C2 server.”

MuddyWater known to have attacked Israel, other countries

Deep Instinct has reported on the MuddyWater group’s changing tactics for years, tracking activity against telecom, government, defense contractor and energy organizations in numerous countries, not just Israel.

It’s not clear how the current Storyblok attack is being spread, but the group has used spear phishing emails in the past, containing either Word documents that link to a payload or direct links to it. MuddyWater has also used HTML attachments rather than direct links to allay suspicion, since archives and executables are much more obvious security risks than a simple web page. The group is thought to have been active since at least 2017.

Deep Instinct’s blog post provides a lengthy list of indicators of compromise in the form of MD5 hashes. As with any file-hash indicators, these match only the exact samples Deep Instinct observed; a repacked or recompiled payload will not match, so defenders should treat them as a starting point rather than complete coverage of the campaign.
